awoooi/docs/security/security-mirror-status-rollup.snapshot.json
{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-17",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 35,
"ready_for_mirror_count": 32,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"approval_review_packet_total": 8,
"approval_state_transition_rule_total": 5,
"followup_runtime_gate_template_total": 8,
"active_runtime_gate_count": 0,
"gitea_inventory_status": "partial_waiting_authenticated_inventory",
"gitea_inventory_public_only_repo_count": 2,
"gitea_inventory_local_gitea_repo_count": 4,
"gitea_inventory_export_source_option_count": 2,
"gitea_inventory_token_value_collection_allowed": false,
"gitea_inventory_import_acceptance_status": "draft_waiting_redacted_inventory_payload",
"gitea_inventory_import_acceptance_payload_count": 0,
"gitea_inventory_import_acceptance_quarantine_required": true,
"gitea_inventory_import_acceptance_execution_authorized": false,
"gitea_inventory_coverage_attestation_status": "draft_waiting_owner_attestation",
"gitea_inventory_coverage_attestation_required_count": 5,
"gitea_inventory_coverage_attestation_received_count": 0,
"gitea_inventory_coverage_attestation_execution_authorized": false,
"primary_readiness_candidate_repo_count": 8,
"github_primary_ready_count": 0,
"ref_truth_owner_response_template_count": 5,
"ref_truth_owner_received_response_count": 0,
"ref_truth_owner_accepted_response_count": 0,
"ref_truth_owner_rejected_response_count": 0,
"ref_truth_refs_sync_authorized": false,
"ref_truth_refs_delete_authorized": false,
"ref_truth_force_push_authorized": false,
"primary_rollback_adr_repo_plan_count": 7,
"primary_rollback_adr_owner_approved_count": 0,
"primary_rollback_adr_dry_run_completed_count": 0,
"primary_rollback_execution_authorized": false,
"workflow_secret_inventory_candidate_repo_count": 8,
"workflow_secret_inventory_complete_count": 0,
"workflow_secret_inventory_local_evidence_repo_count": 4,
"workflow_secret_inventory_local_workflow_file_count": 31,
"workflow_secret_inventory_unique_secret_name_count": 43,
"workflow_secret_inventory_export_request_count": 7,
"workflow_secret_inventory_export_lane_count": 5,
"workflow_secret_owner_response_template_count": 5,
"workflow_secret_owner_received_response_count": 0,
"workflow_secret_owner_accepted_response_count": 0,
"workflow_secret_owner_rejected_response_count": 0,
"owner_response_validation_packet_count": 4,
"owner_response_validation_lane_count": 4,
"owner_response_validation_template_count": 22,
"owner_response_validation_received_count": 0,
"owner_response_validation_accepted_count": 0,
"owner_response_validation_rejected_count": 0,
"owner_response_validation_cross_packet_check_count": 10,
"owner_response_validation_quarantine_required": true,
"workflow_secret_inventory_write_token_allowed": false,
"workflow_secret_modification_authorized": false,
"workflow_secret_github_hosted_runner_enable_authorized": false,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"progress_estimate": {
"overall_percent": 58,
"framework_percent_min": 80,
"framework_percent_max": 85,
"runtime_landing_percent_min": 35,
"runtime_landing_percent_max": 40,
"basis": [
"35 個主要 contract 中 32 個 ready、2 個 partial、1 個 contract-only、0 個 blocked。",
"S0/S2/S3/S4 多數治理、鏡像、人工批准與 source-control readiness 契約已完成草案。",
"owner responses、redacted payload ingestion、active runtime gate、GitHub primary readiness 與 AwoooP production ingestion 仍未完成或尚未批准。"
],
"interpretation": "目前處於健康的框架期後段;骨架接近完成,但仍刻意維持低摩擦,不把 read-only evidence 誤升級成 runtime enforcement。",
"not_authorization": true
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidenceS4.5 已補 Gitea authenticated/admin export requestS4.6 已補 redacted import acceptanceS4.7 已補 owner coverage attestation request但 private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "先取得 owner scope decision / coverage attestation再等待只讀 token 或 redacted admin export owner approval收到 payload 後先依 S4.6 驗收與隔離規則檢查,仍不得保存 token value。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "draft_ready",
"current_result": "Approval queue 已列出 8 個候選security_approval_gate_v1 已定義人工 gatesecurity_approval_decision_record_v1 已定義決策紀錄格式security_approval_review_packet_v1 已定義人工審查封包security_approval_state_transition_v1 已定義決策狀態轉移語義security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板S4.8 已把 Gitea queue/gate/review packet/follow-up gate 對齊 S4.7 owner attestation 先行。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea owner attestation + read-only inventoryreview packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 local evidenceS4.3 已補 redacted export requestS4.4 已補 rollback ADR 草案S4.5 已補 Gitea authenticated inventory export requestS4.6 已補 redacted import acceptanceS4.7 已補 owner coverage attestation requestS4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanesS4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packetS4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packetS4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templates彙整 22 個 templates、received=0、accepted=0並標示 next_collection_candidate=S4.9,但 inventory status 仍 partialS4.9/S4.11/S4.12 audit events emitted 仍 0 筆GitHub target / refs truth / workflow-secret response 仍 0 筆S4.13 reviewer audit templates 也仍為 emitted=0。",
"next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templatesAwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。"
}
],
"progress_display_policy": {
"headline_percent": 58,
"headline_status": "holding_until_owner_response_or_runtime_gate",
"why_headline_is_holding": [
"最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks以及 S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates 的框架細節,改善可見性、收件安全與稽核格式,但 owner response received / accepted 仍為 0。",
"overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。",
"維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。"
],
"recent_micro_progress_visible": true,
"headline_can_increase_after": [
"S4.9 Gitea owner attestation response received/accepted 有實際脫敏 evidence",
"S4.10 GitHub target owner / visibility / canonical response received/accepted 有實際脫敏 evidence",
"S4.11 refs truth owner response received/accepted 有實際脫敏 evidence",
"S4.12 workflow / secret name owner response received/accepted 有實際脫敏 evidence",
"redacted payload ingestion 或 active runtime gate 在人工批准後啟用",
"GitHub primary readiness gate 的 primary_ready_count 大於 0"
],
"runtime_execution_authorized": false,
"not_authorization": true
},
"progress_delta_ledger": [
{
"delta_id": "s4_10_owner_response_request_packet",
"display_order": 1,
"completed_stage": "S4.10 GitHub target owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆什麼,不代表 request sent、response received 或 approval。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_template_status_ledger",
"display_order": 2,
"completed_stage": "S4.10 GitHub target owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 7 個 target 仍為 waiting_owner_responsereceived / accepted 皆為 0。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_audit_event_templates",
"display_order": 3,
"completed_stage": "S4.10 GitHub target owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emittedemitted_event_count=0尚未啟用 production ingestion。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_redaction_examples",
"display_order": 4,
"completed_stage": "S4.10 GitHub target owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全 metadata shape不代表 owner response 已收到、已接受或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_collection_checks",
"display_order": 5,
"completed_stage": "S4.10 GitHub target owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到、已接受或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_intake_preflight_checks",
"display_order": 6,
"completed_stage": "S4.10 GitHub target owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可收、補證、隔離或拒收,不代表 owner response 已 accepted 或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_request_packet",
"display_order": 7,
"completed_stage": "S4.11 refs truth owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆哪 5 類 refs truth 問題,不代表 request sent、response received、accepted 或 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_template_status_ledger",
"display_order": 8,
"completed_stage": "S4.11 refs truth owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 5 類 refs truth response 仍為 waiting_owner_responsereceived / accepted 皆為 0不代表 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_audit_event_templates",
"display_order": 9,
"completed_stage": "S4.11 refs truth owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emittedemitted_event_count=0尚未啟用 production ingestion也不代表 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_redaction_examples",
"display_order": 10,
"completed_stage": "S4.11 refs truth owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全 metadata shape不代表 owner response 已收到、已接受或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_collection_checks",
"display_order": 11,
"completed_stage": "S4.11 refs truth owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到、已接受或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_intake_preflight_checks",
"display_order": 12,
"completed_stage": "S4.11 refs truth owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_request_packet",
"display_order": 13,
"completed_stage": "S4.12 workflow / secret 名稱 owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆哪 5 類 workflow / secret 名稱問題,不代表 request sent、response received、secret value collection、workflow 修改、runner 啟用或 GitHub primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_template_status_ledger",
"display_order": 14,
"completed_stage": "S4.12 workflow / secret 名稱 owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 5 類 workflow / secret 名稱 response 仍為 waiting_owner_responsereceived / accepted 皆為 0不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_audit_event_templates",
"display_order": 15,
"completed_stage": "S4.12 workflow / secret 名稱 owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emittedemitted_event_count=0尚未啟用 production ingestion也不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_redaction_examples",
"display_order": 16,
"completed_stage": "S4.12 workflow / secret 名稱 owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全回覆形狀stored_raw_payload_allowed=false尚未收到 owner response也不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_collection_checks",
"display_order": 17,
"completed_stage": "S4.12 workflow / secret 名稱 owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離received_response_count=0、accepted_response_count=0不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_intake_preflight_checks",
"display_order": 18,
"completed_stage": "S4.12 workflow / secret 名稱 owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可審、補證、隔離或拒收received_response_count=0、accepted_response_count=0不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_evidence_routing_rules",
"display_order": 19,
"completed_stage": "S4.13 owner response validation evidence routing rules",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "evidence routing rules 只決定 owner evidence pointer 應補證、隔離、拒收、進跨包 review 或只讀更新received_response_count=0、accepted_response_count=0不代表 approval、runtime gate 或 execution authorization。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_display_sections",
"display_order": 20,
"completed_stage": "S4.13 owner response validation display sections",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "display sections 只固定 AwoooP Operator Console 的 read-only 呈現順序received_response_count=0、accepted_response_count=0不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_state_transition_rules",
"display_order": 21,
"completed_stage": "S4.13 owner response validation state transition rules",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "state transition rules 只固定 owner response validation 的 read-only 狀態語義received_response_count=0、accepted_response_count=0不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_checklist",
"display_order": 22,
"completed_stage": "S4.13 owner response validation reviewer checklist",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer checklist 只提供人工審查順序與只讀檢查提示received_response_count=0、accepted_response_count=0不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_outcome_lanes",
"display_order": 23,
"completed_stage": "S4.13 owner response validation reviewer outcome lanes",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer outcome lanes 只把人工檢查結果分類成等待、補證、隔離、拒收、跨包 review、只讀更新候選或等待 runtime gatereceived_response_count=0、accepted_response_count=0不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_audit_event_templates",
"display_order": 24,
"completed_stage": "S4.13 owner response validation reviewer audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer audit event templates 只定義未來可留痕的脫敏 metadata 形狀emitted_event_count=0、received_response_count=0、accepted_response_count=0不代表 production ingestion、approval、runtime gate 或 execution authorization。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
}
],
"next_safe_actions": [
{
"action_id": "mirror_owner_response_validation_rollup",
"title": "AwoooP 顯示四包 owner response 驗收總覽",
"mode": "observe",
"source_contract": "source_control_owner_response_validation_rollup_v1",
"allowed_processing": [
"顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets",
"顯示 22 個 templates、received=0、accepted=0、rejected=0",
"顯示 10 個 cross-packet acceptance checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates 與 quarantine rules",
"只更新 read-only wording、matrix 或 readiness evidence"
],
"blocked_processing": [
"把 validation rollup 當成 approval",
"把 validation rollup 當成 runtime authorization",
"新增 repo / refs / workflow / secret / runner / primary action button"
]
},
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"寫入 audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_approval_review_packets",
"title": "AwoooP 顯示 8 個人工審查封包",
"mode": "approval_required",
"source_contract": "security_approval_review_packet_v1",
"allowed_processing": [
"顯示 review order、review lane、required reviewers 與 requested decision",
"顯示仍然禁止事項與 follow-up runtime gate",
"將人工決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 review packet 當成批准",
"把 review packet 當成 execution authorization",
"新增 scan / execute / repo / refs action button"
]
},
{
"action_id": "mirror_approval_state_transitions",
"title": "AwoooP 顯示人工決策後狀態轉移",
"mode": "approval_required",
"source_contract": "security_approval_state_transition_v1",
"allowed_processing": [
"顯示 approve/reject/defer/request_more_evidence/keep_blocked 的 next state",
"顯示 approve_scope 仍需 follow-up runtime gate",
"將實際決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 state transition 當成執行命令",
"批准後立即執行 scan / execute / repo / refs 動作",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_followup_runtime_gate_templates",
"title": "AwoooP 顯示後續 runtime gate 準備模板",
"mode": "approval_required",
"source_contract": "security_followup_runtime_gate_v1",
"allowed_processing": [
"顯示 minimum evidence、preflight checks 與 rollback/disable requirement",
"顯示 active_runtime_gates=0",
"提醒 approve_scope 後仍需獨立 runtime gate"
],
"blocked_processing": [
"啟用 runtime gate",
"新增 scan / execute / repo / refs action button",
"把 template 當成執行授權"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"依 security_approval_gate_v1 人工審查是否可設計 redacted security_finding_v1 ingestion",
"依 security_approval_decision_record_v1 記錄人工決策",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"顯示 S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation request 與 coverage gap",
"顯示 5 個 owner attestation items、received_attestation_count=0 與 accepted_attestation_count=0",
"顯示 S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response templates、intake preflight checks、outcome lanes、received_response_count=0、audit_events_emitted=0 與 rejection rules",
"在 security_approval_queue_v1、security_approval_gate_v1、security_approval_review_packet_v1 與 security_followup_runtime_gate_v1 中顯示 S4.7 owner attestation 先行條件",
"使用 read-only token 或 redacted admin export 補齊 repo list",
"收到 payload 後只做 schema / redaction / coverage gap 驗收與隔離",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"未完成 S4.7 owner attestation 就標記 inventory complete",
"把 S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 或 response packet 當成 read-only inventory 已執行、audit production ingestion 或 primary approval",
"把 S4.7 owner attestation request 當成 repo migration approval",
"把 S4.6 payload 驗收當成 primary approval",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0 與 rejection rules",
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval",
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "review_ref_truth_owner_responses",
"title": "審查 refs truth owner response 收件包",
"mode": "approval_required",
"source_contract": "source_control_ref_truth_classification_v1",
"allowed_processing": [
"顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules",
"依 main/dev truth、deprecated drift、release tag、GitHub-only refs 分組給 owner 判定",
"response 通過後只更新 read-only classification、draft reconcile plan 與 readiness blocker wording",
"維持 refs action disabled"
],
"blocked_processing": [
"把 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 refs sync、delete、force push 或 primary approval",
"fetch / push / delete refs",
"rewrite branch 或 tag",
"切 GitHub primary"
]
},
{
"action_id": "review_github_primary_readiness_gate",
"title": "審查 GitHub primary readiness blockers",
"mode": "approval_required",
"source_contract": "source_control_primary_readiness_gate_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 仍 blocked",
"顯示 Gitea inventory、refs truth owner response、workflow/secret name parity 與 rollback ADR 缺口",
"要求 repo owner 補 owner / visibility / canonical 決策"
],
"blocked_processing": [
"建立 GitHub repo",
"sync refs",
"切 GitHub primary",
"停用或封存 Gitea repo"
]
},
{
"action_id": "review_github_primary_rollback_adr",
"title": "審查 GitHub primary rollback ADR 草案",
"mode": "approval_required",
"source_contract": "source_control_primary_rollback_adr_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 的 rollback ADR draft",
"顯示 owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0",
"顯示 rollback triggers、validation windows 與仍禁止事項"
],
"blocked_processing": [
"執行 rollback",
"切 GitHub primary",
"sync refs 或修改 webhook",
"停用 Gitea"
]
},
{
"action_id": "review_workflow_secret_name_inventory",
"title": "審查 workflow / secret 名稱 inventory 缺口",
"mode": "approval_required",
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"allowed_processing": [
"顯示 8 個 candidate repos 的 inventory lanes、4 個 repos 的 local evidence 與 7 個 repos 的 redacted export request",
"顯示 S4.12 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules",
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
"顯示 GitHub hosted runner 額度風險與 self-hosted runner owner review lane",
"response 通過後只更新 read-only inventory、export request 與 readiness blocker wording",
"只保存 secret name、owner 與 present/absent metadata不保存 value"
],
"blocked_processing": [
"把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 workflow 修改、secret 建立、runner 啟用或 primary approval",
"收集或保存 secret value",
"修改 workflow 或 webhook",
"啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
"rotate secret",
"sync refs 或切 GitHub primary"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false不可直接跳到執行面。",
"S3.2 只新增人工審查封包格式review packet 只讓 AwoooP 顯示與準備人審,不代表批准。",
"S3.3 只新增人工決策狀態轉移語義approve_scope 只進入 waiting runtime gate不代表可立即執行。",
"S3.4 只新增後續 runtime gate 準備模板active_runtime_gates=0不新增 action button。",
"S4.0 只新增 GitHub primary readiness gategithub_primary_ready_count=0不新增 repo / refs / primary switch action。",
"S4.1 只新增 workflow / secret 名稱 inventory 契約workflow_secret_inventory_complete_count=0secret_value_collection_allowed=false不新增 workflow、secret、repo、refs 或 primary switch action。",
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidencelocal_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43secret_value_detected=false。",
"S4.3 只新增 redacted export request packageexport_request_count=7、export_lane_count=5、write_token_allowed=false不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。",
"S4.4 只新增 GitHub primary rollback ADR 草案repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false不切 primary、不執行 rollback。",
"S4.5 只新增 Gitea authenticated inventory export requestpublic_only_repo_count=2、local_gitea_unique_repo_count=4、export_source_option_count=2、token_value_collection_allowed=false不使用 token、不寫入 Gitea、不 sync refs。",
"S4.6 只新增 Gitea redacted import acceptancereceived_payload_count=0、accepted_payload_count=0不匯入 DB dump/git object、不寫 Gitea、不切 primary。",
"S4.7 只新增 Gitea owner coverage attestation requestrequired_attestation_item_count=5、received_attestation_count=0不把 attestation 當 migration approval。",
"S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件approval_queue_total 仍為 8、active_runtime_gates 仍為 0不新增執行入口。",
"S4.9 只新增 Gitea owner attestation response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 與 response 收件包owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_display_section_count=8、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0不把 request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 或 response packet 當 inventory 執行、audit production ingestion 或 primary approval。",
"S4.10 新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=7、received_response_count=0、accepted_response_count=0不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。",
"S4.11 已新增 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 refs sync、delete、force push 或 GitHub primary approval。",
"S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。",
"S4.13 只新增 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 與 reviewer audit event templatesresponse_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、owner_response_evidence_routing_rule_count=6、owner_response_validation_display_section_count=8、owner_response_validation_state_transition_rule_count=7、owner_response_validation_reviewer_checklist_count=9、owner_response_validation_reviewer_outcome_lane_count=7、owner_response_validation_reviewer_audit_event_template_count=4、reviewer_audit_events_emitted=0、next_collection_candidate=S4.9,不把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 或 reviewer audit event templates 當 approval、runtime gate 或 execution authorization。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}